Closed
Description
opened on Feb 28, 2024
cyclonedx-maven-plugin 2.7.11 generates SBOM 1.4 when 1.5 schemaVersion is configured.
The following config was applied in pom.xml:
<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.7.11</version>
    <configuration>
        <schemaVersion>1.5</schemaVersion>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>makeAggregateBom</goal>
            </goals>
            <phase>package</phase>
        </execution>
    </executions>
</plugin>
producing the following output:
[INFO] --- cyclonedx-maven-plugin:2.7.11:makeAggregateBom (default) @ email ---
[INFO] CycloneDX: Resolving Dependencies
[INFO] CycloneDX: Creating BOM version 1.5 with 219 component(s)
[INFO] CycloneDX: Writing and validating BOM (XML): C:\workspace\email\target\bom.xml
[INFO] attaching as email-1.3.6-SNAPSHOT-cyclonedx.xml
[INFO] CycloneDX: Writing and validating BOM (JSON): C:\workspace\email\target\bom.json
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[INFO] attaching as email-1.3.6-SNAPSHOT-cyclonedx.json
But the generated bom.json/bom.xml still show the CycloneDX 1.4 schema:
{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.4",
  "serialNumber" : "urn:uuid:0de9d361-4247-3818-b72e-7139f0a91dee",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2024-02-28T08:46:51Z",
<?xml version="1.0" encoding="UTF-8"?>
<bom serialNumber="urn:uuid:0de9d361-4247-3818-b72e-7139f0a91dee" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">